Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

09-25-2013 04:07 AM

Hello,

We have a load of AP-65s and AP-105s which were deployed as username/password/IKEPSK RAPs -- we're really in a campus environment but it dates back to ArubaOS 3.x days (which was the version we first installed with) and wanting to be able to bridge VLANs out at the access point (which didn't become available on CAPs until ArubaOS 5.x). We have a little over 1,000 of these and getting physical access to them is difficult - we also don't control the switches to which they're attached, so it needs to be done remotely. Also, the range of addresses they're on means I can't whitelist them for auto-cert provisioning and I don't fancy opening things up everywhere.

I'd like to convert these to cert-based CAPs for consistency with our newer APs and also so we can rescind individual APs if they become stolen or lost. Obviously, the AP-65s need a switch certificate whereas the AP-105s can use a factory certificate.

I can't find any official procedure in the manual or otherwise to do this conversion. Given that there are so many to do, clearly I need a reliable process I can execute en masse (i.e. from the command line rather than the controller GUI [we don't have AirWave, if that would do it]).

Both of these are something I can easily script to generate big config files

This mostly seems to work although in my tests, I occasionally (perhaps 1 in 10) see an AP get "stuck" and fail to come back up. I'm not sure exactly what state it's in, but getting to the console, purging the boot variables, clearing the AP from the database and whitelist and booting it up as a fresh AP for auto-cert provisioning fixes it.

I don't know what causes this - if I'm doing something wrong (perhaps I have to wait until the cert whitelist syncs to the local controller before reprovisioning) or there's a fault with the AP - but I don't want this to happen on a wide scale!

Re: Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

09-30-2013 07:58 AM

Bob Franklin,

Unfortunately you would have to do this the way you are doing, because converting a RAP to a cert-based CAP is not something that is done often. That means there is no workflow for it. If you have difficulty with access points coming up, please open a support case so that they can check your steps.

******************Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.******************

Re: Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

09-30-2013 09:48 AM

Thanks - I wanted to check there wasn't a better way to do this, so at least I'm doing it the "official" way.

Actually, since I posted the question I've tried converting some more APs and have done about 300 now, using the above procedure and it's all worked OK, save two gotchas:

1. The thing which seems to be most important is the whitelist having synced across the controllers - if the AP comes up in CAP mode without the whitelist entry correct, things can get jammed in the "unapproved" state (which can happen with the AP-105s as you have to modify the existing entry after creating it: the new entry gets created fine but the type change to factory- from switch-cert can take a few minutes). Manually adjusting the state of the entry and waiting for the AP to restart seems to be OK, so far.

=> I solve this by loading the whitelist entries and waiting 5-6 minutes for things to sync before reprovisioning the APs.

Re: Procedure for converting a username/password/IKEPSK RAP to cert-based CAP?

11-08-2013 06:14 AM

One other thing to add which I've noticed over the last few days that doesn't appear to be documented: when an AP is set to state "approved-ready-for-cert", this seems to expire after a few hours and reverts to "unapproved-factory-cert". I'm not sure how long this takes but it's certainly less than a day.

This has caused a few issues with manually provisioning APs onto the system (including converting IAPs to CAPs) where I'm liaising with a remote member of staff: we have to make sure the two are done with a short while of each other.